From c1b278e671cbc2e99b6fa4715e7325031b18de38 Mon Sep 17 00:00:00 2001 From: lwthiker Date: Sat, 10 Feb 2024 19:55:59 +0200 Subject: [PATCH 1/4] Upgrade BoringSSL version Upgrade to commit d24a38200fef19150eef00cad35b138936c08767, which is the current 'chromium-stable' tag. --- .github/workflows/build-and-test-make.yml | 2 +- Dockerfile.template | 2 +- Makefile.in | 2 +- chrome/Dockerfile | 2 +- chrome/Dockerfile.alpine | 2 +- chrome/patches/boringssl-old-ciphers.patch | 69 +++++++++++----------- 6 files changed, 41 insertions(+), 38 deletions(-) diff --git a/.github/workflows/build-and-test-make.yml b/.github/workflows/build-and-test-make.yml index a8439406..d7436690 100644 --- a/.github/workflows/build-and-test-make.yml +++ b/.github/workflows/build-and-test-make.yml @@ -12,7 +12,7 @@ on: env: NSS_VERSION: nss-3.77 - BORING_SSL_COMMIT: 3a667d10e94186fd503966f5638e134fe9fb4080 + BORING_SSL_COMMIT: d24a38200fef19150eef00cad35b138936c08767 jobs: build-and-test: diff --git a/Dockerfile.template b/Dockerfile.template index 618a76e6..73ff2e71 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -97,7 +97,7 @@ RUN tar xf ${NSS_VERSION}.tar.gz && \ {{#chrome}} # BoringSSL doesn't have versions. Choose a commit that is used in a stable # Chromium version. -ARG BORING_SSL_COMMIT=3a667d10e94186fd503966f5638e134fe9fb4080 +ARG BORING_SSL_COMMIT=d24a38200fef19150eef00cad35b138936c08767 RUN curl -L https://github.com/google/boringssl/archive/${BORING_SSL_COMMIT}.zip -o boringssl.zip && \ unzip boringssl && \ mv boringssl-${BORING_SSL_COMMIT} boringssl diff --git a/Makefile.in b/Makefile.in index fb0813c3..7708643f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -13,7 +13,7 @@ BROTLI_VERSION := 1.0.9 NSS_VERSION := nss-3.92 NSS_URL := https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_92_RTM/src/nss-3.92-with-nspr-4.35.tar.gz # In case this is changed, update build-and-test-make.yml as well -BORING_SSL_COMMIT := 3a667d10e94186fd503966f5638e134fe9fb4080 +BORING_SSL_COMMIT := d24a38200fef19150eef00cad35b138936c08767 NGHTTP2_VERSION := nghttp2-1.56.0 NGHTTP2_URL := https://github.com/nghttp2/nghttp2/releases/download/v1.56.0/nghttp2-1.56.0.tar.bz2 CURL_VERSION := curl-8.1.1 diff --git a/chrome/Dockerfile b/chrome/Dockerfile index 69d87521..d22153e6 100644 --- a/chrome/Dockerfile +++ b/chrome/Dockerfile @@ -39,7 +39,7 @@ RUN cd brotli-${BROTLI_VERSION} && \ # BoringSSL doesn't have versions. Choose a commit that is used in a stable # Chromium version. -ARG BORING_SSL_COMMIT=3a667d10e94186fd503966f5638e134fe9fb4080 +ARG BORING_SSL_COMMIT=d24a38200fef19150eef00cad35b138936c08767 RUN curl -L https://github.com/google/boringssl/archive/${BORING_SSL_COMMIT}.zip -o boringssl.zip && \ unzip boringssl && \ mv boringssl-${BORING_SSL_COMMIT} boringssl diff --git a/chrome/Dockerfile.alpine b/chrome/Dockerfile.alpine index 57e2ced2..e8bf8ac3 100644 --- a/chrome/Dockerfile.alpine +++ b/chrome/Dockerfile.alpine @@ -32,7 +32,7 @@ RUN cd brotli-${BROTLI_VERSION} && \ # BoringSSL doesn't have versions. Choose a commit that is used in a stable # Chromium version. -ARG BORING_SSL_COMMIT=3a667d10e94186fd503966f5638e134fe9fb4080 +ARG BORING_SSL_COMMIT=d24a38200fef19150eef00cad35b138936c08767 RUN curl -L https://github.com/google/boringssl/archive/${BORING_SSL_COMMIT}.zip -o boringssl.zip && \ unzip boringssl && \ mv boringssl-${BORING_SSL_COMMIT} boringssl diff --git a/chrome/patches/boringssl-old-ciphers.patch b/chrome/patches/boringssl-old-ciphers.patch index 4db24ccf..8d955dd0 100644 --- a/chrome/patches/boringssl-old-ciphers.patch +++ b/chrome/patches/boringssl-old-ciphers.patch @@ -1,31 +1,30 @@ -diff -u1 -Nar --exclude build --exclude tags boringssl-3a667d10e94186fd503966f5638e134fe9fb4080/ssl/internal.h boringssl/ssl/internal.h ---- boringssl-3a667d10e94186fd503966f5638e134fe9fb4080/ssl/internal.h 2021-11-22 19:06:04.000000000 +0200 -+++ boringssl/ssl/internal.h 2022-02-27 12:20:25.308284303 +0200 -@@ -566,4 +566,10 @@ - #define SSL_SHA1 0x00000001u +diff -u1 -Nar --exclude build --exclude tags boringssl-d24a38200fef19150eef00cad35b138936c08767/ssl/internal.h boringssl/ssl/internal.h +--- boringssl-d24a38200fef19150eef00cad35b138936c08767/ssl/internal.h 2023-09-27 05:13:00.000000000 +0300 ++++ boringssl/ssl/internal.h 2024-02-10 19:41:05.916013082 +0200 +@@ -577,4 +577,9 @@ + #define SSL_SHA256 0x00000002u +// curl-impersonate: -+// SSL_SHA256 and SSL_SHA384 were removed in ++// SSL_SHA384 was removed in +// https://boringssl-review.googlesource.com/c/boringssl/+/27944/ +// but restored to impersonate browsers with older ciphers. -+#define SSL_SHA256 0x00000002u +#define SSL_SHA384 0x00000004u // SSL_AEAD is set for all AEADs. --#define SSL_AEAD 0x00000002u +-#define SSL_AEAD 0x00000004u +#define SSL_AEAD 0x00000008u -diff -u1 -Nar --exclude build --exclude tags boringssl-3a667d10e94186fd503966f5638e134fe9fb4080/ssl/ssl_cipher.cc boringssl/ssl/ssl_cipher.cc ---- boringssl-3a667d10e94186fd503966f5638e134fe9fb4080/ssl/ssl_cipher.cc 2021-11-22 19:06:04.000000000 +0200 -+++ boringssl/ssl/ssl_cipher.cc 2022-02-27 13:54:05.378053046 +0200 -@@ -210,2 +210,33 @@ +diff -u1 -Nar --exclude build --exclude tags boringssl-d24a38200fef19150eef00cad35b138936c08767/ssl/ssl_cipher.cc boringssl/ssl/ssl_cipher.cc +--- boringssl-d24a38200fef19150eef00cad35b138936c08767/ssl/ssl_cipher.cc 2023-09-27 05:13:00.000000000 +0300 ++++ boringssl/ssl/ssl_cipher.cc 2024-02-10 19:52:54.366879729 +0200 +@@ -199,2 +199,33 @@ + // curl-impersonate: Ciphers 3C, 3D were removed in + // https://boringssl-review.googlesource.com/c/boringssl/+/27944/ + // but restored here to impersonate browsers with older ciphers. They are + // not expected to actually work; but just to be included in the TLS + // Client Hello. -+ ++ + // TLS v1.2 ciphersuites -+ ++ + // Cipher 3C + { + TLS1_TXT_RSA_WITH_AES_128_SHA256, @@ -50,13 +49,13 @@ diff -u1 -Nar --exclude build --exclude tags boringssl-3a667d10e94186fd503966f56 + }, + // PSK cipher suites. -@@ -300,2 +331,19 @@ +@@ -289,2 +320,19 @@ + // curl-impersonate: Cipher C008 was missing from BoringSSL, + // probably because it is weak. Add it back from OpenSSL (ssl/s3_lib.c) + // where it is called ECDHE-ECDSA-DES-CBC3-SHA. + // It's not supposed to really work but just appear in the TLS client hello. -+ ++ + // Cipher C008 + { + "ECDHE-ECDSA-DES-CBC3-SHA", @@ -70,7 +69,7 @@ diff -u1 -Nar --exclude build --exclude tags boringssl-3a667d10e94186fd503966f56 + }, + // Cipher C009 -@@ -324,2 +372,17 @@ +@@ -313,2 +361,17 @@ + // curl-impersonate: Cipher C012 was missing from BoringSSL, + // probably because it is weak. Add it back from OpenSSL (ssl/s3_lib.c) @@ -88,9 +87,9 @@ diff -u1 -Nar --exclude build --exclude tags boringssl-3a667d10e94186fd503966f56 + }, + // Cipher C013 -@@ -348,2 +411,55 @@ +@@ -337,2 +400,33 @@ -+ // curl-impersonate: Ciphers C023, C024, C027, C028 were removed in ++ // curl-impersonate: Ciphers C023, C024, C028 were removed in + // https://boringssl-review.googlesource.com/c/boringssl/+/27944/ + // but restored here to impersonate browsers with older ciphers. They are + // not expected to actually work; but just to be included in the TLS @@ -120,17 +119,10 @@ diff -u1 -Nar --exclude build --exclude tags boringssl-3a667d10e94186fd503966f56 + SSL_SHA384, + SSL_HANDSHAKE_MAC_SHA384, + }, -+ // Cipher C027 -+ { -+ TLS1_TXT_ECDHE_RSA_WITH_AES_128_SHA256, -+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", -+ TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256, -+ SSL_kECDHE, -+ SSL_aRSA, -+ SSL_AES128, -+ SSL_SHA256, -+ SSL_HANDSHAKE_MAC_SHA256, -+ }, ++ + // Cipher C027 +@@ -349,2 +443,14 @@ + + // Cipher C028 + { + TLS1_TXT_ECDHE_RSA_WITH_AES_256_SHA384, @@ -144,11 +136,22 @@ diff -u1 -Nar --exclude build --exclude tags boringssl-3a667d10e94186fd503966f56 + }, + // GCM based TLS v1.2 ciphersuites from RFC 5289 -@@ -539,2 +655,7 @@ - {"SHA", ~0u, ~0u, ~0u, SSL_SHA1, 0}, +@@ -555,2 +661,7 @@ + {"SHA1", ~0u, ~0u, ~0u, SSL_SHA1, 0}, + // curl-impersonate: + // Removed in https://boringssl-review.googlesource.com/c/boringssl/+/27944/ + // but restored to impersonate browsers with older ciphers. + {"SHA256", ~0u, ~0u, ~0u, SSL_SHA256, 0}, + {"SHA384", ~0u, ~0u, ~0u, SSL_SHA384, 0}, - + {"SHA", ~0u, ~0u, ~0u, SSL_SHA1, 0}, +@@ -1170,2 +1281,10 @@ + SSL3_CK_RSA_DES_192_CBC3_SHA & 0xffff, ++ // curl-impersonate: add legacy cipehrs. ++ TLS1_CK_RSA_WITH_AES_128_SHA256 & 0xffff, ++ TLS1_CK_RSA_WITH_AES_256_SHA256 & 0xffff, ++ 0x0300C008 & 0xffff, ++ 0x0300C012 & 0xffff, ++ TLS1_CK_ECDHE_ECDSA_WITH_AES_128_SHA256 & 0xffff, ++ TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384 & 0xffff, ++ TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384 & 0xffff, + }; From 79942b00ea07a508a50e332401eb47beb94ff59d Mon Sep 17 00:00:00 2001 From: lwthiker Date: Thu, 29 Feb 2024 19:58:00 +0200 Subject: [PATCH 2/4] Update BoringSSL patch to handle Safari quirks --- chrome/patches/boringssl-old-ciphers.patch | 89 +++++++++++++++++++++- 1 file changed, 87 insertions(+), 2 deletions(-) diff --git a/chrome/patches/boringssl-old-ciphers.patch b/chrome/patches/boringssl-old-ciphers.patch index 8d955dd0..ff3112d4 100644 --- a/chrome/patches/boringssl-old-ciphers.patch +++ b/chrome/patches/boringssl-old-ciphers.patch @@ -1,6 +1,6 @@ diff -u1 -Nar --exclude build --exclude tags boringssl-d24a38200fef19150eef00cad35b138936c08767/ssl/internal.h boringssl/ssl/internal.h --- boringssl-d24a38200fef19150eef00cad35b138936c08767/ssl/internal.h 2023-09-27 05:13:00.000000000 +0300 -+++ boringssl/ssl/internal.h 2024-02-10 19:41:05.916013082 +0200 ++++ boringssl/ssl/internal.h 2024-02-29 20:02:32.711209565 +0200 @@ -577,4 +577,9 @@ #define SSL_SHA256 0x00000002u +// curl-impersonate: @@ -14,7 +14,7 @@ diff -u1 -Nar --exclude build --exclude tags boringssl-d24a38200fef19150eef00cad diff -u1 -Nar --exclude build --exclude tags boringssl-d24a38200fef19150eef00cad35b138936c08767/ssl/ssl_cipher.cc boringssl/ssl/ssl_cipher.cc --- boringssl-d24a38200fef19150eef00cad35b138936c08767/ssl/ssl_cipher.cc 2023-09-27 05:13:00.000000000 +0300 -+++ boringssl/ssl/ssl_cipher.cc 2024-02-10 19:52:54.366879729 +0200 ++++ boringssl/ssl/ssl_cipher.cc 2024-02-29 20:02:32.711209565 +0200 @@ -199,2 +199,33 @@ + // curl-impersonate: Ciphers 3C, 3D were removed in @@ -155,3 +155,88 @@ diff -u1 -Nar --exclude build --exclude tags boringssl-d24a38200fef19150eef00cad + TLS1_CK_ECDHE_ECDSA_WITH_AES_256_SHA384 & 0xffff, + TLS1_CK_ECDHE_RSA_WITH_AES_256_SHA384 & 0xffff, }; +diff -u1 -Nar --exclude build --exclude tags boringssl-d24a38200fef19150eef00cad35b138936c08767/ssl/ssl_privkey.cc boringssl/ssl/ssl_privkey.cc +--- boringssl-d24a38200fef19150eef00cad35b138936c08767/ssl/ssl_privkey.cc 2023-09-27 05:13:00.000000000 +0300 ++++ boringssl/ssl/ssl_privkey.cc 2024-02-29 21:26:15.518023534 +0200 +@@ -560,40 +560,45 @@ + +-static int compare_uint16_t(const void *p1, const void *p2) { +- uint16_t u1 = *((const uint16_t *)p1); +- uint16_t u2 = *((const uint16_t *)p2); +- if (u1 < u2) { +- return -1; +- } else if (u1 > u2) { +- return 1; +- } else { +- return 0; +- } +-} +- +-static bool sigalgs_unique(Span in_sigalgs) { +- if (in_sigalgs.size() < 2) { +- return true; +- } +- +- Array sigalgs; +- if (!sigalgs.CopyFrom(in_sigalgs)) { +- return false; +- } +- +- qsort(sigalgs.data(), sigalgs.size(), sizeof(uint16_t), compare_uint16_t); +- +- for (size_t i = 1; i < sigalgs.size(); i++) { +- if (sigalgs[i - 1] == sigalgs[i]) { +- OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_SIGNATURE_ALGORITHM); +- return false; +- } +- } +- +- return true; +-} ++// curl-impersonate: Remove the uniqueness check. Older Safari versions (15) ++// send out duplicated algorithm prefs. ++// static int compare_uint16_t(const void *p1, const void *p2) { ++// uint16_t u1 = *((const uint16_t *)p1); ++// uint16_t u2 = *((const uint16_t *)p2); ++// if (u1 < u2) { ++// return -1; ++// } else if (u1 > u2) { ++// return 1; ++// } else { ++// return 0; ++// } ++// } ++ ++// static bool sigalgs_unique(Span in_sigalgs) { ++// if (in_sigalgs.size() < 2) { ++// return true; ++// } ++// ++// Array sigalgs; ++// if (!sigalgs.CopyFrom(in_sigalgs)) { ++// return false; ++// } ++// ++// qsort(sigalgs.data(), sigalgs.size(), sizeof(uint16_t), compare_uint16_t); ++// ++// for (size_t i = 1; i < sigalgs.size(); i++) { ++// if (sigalgs[i - 1] == sigalgs[i]) { ++// OPENSSL_PUT_ERROR(SSL, SSL_R_DUPLICATE_SIGNATURE_ALGORITHM); ++// return false; ++// } ++// } ++// ++// return true; ++// } + + static bool set_sigalg_prefs(Array *out, Span prefs) { +- if (!sigalgs_unique(prefs)) { +- return false; +- } ++ // curl-impersonate: Remove the uniqueness check. Older Safari versions (15) ++ // send out duplicated algorithm prefs. ++ ++ // if (!sigalgs_unique(prefs)) { ++ // return false; ++ // } + From 43c4b38ef984ba09f839a532bc150e2120ebccd9 Mon Sep 17 00:00:00 2001 From: lwthiker Date: Thu, 29 Feb 2024 22:01:52 +0200 Subject: [PATCH 3/4] Install newer version of Go lang using Snap in CI --- .github/workflows/build-and-test-make.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-and-test-make.yml b/.github/workflows/build-and-test-make.yml index d7436690..0ada439d 100644 --- a/.github/workflows/build-and-test-make.yml +++ b/.github/workflows/build-and-test-make.yml @@ -54,7 +54,7 @@ jobs: sudo apt-get update sudo apt-get install build-essential pkg-config cmake ninja-build curl autoconf automake libtool # Chrome version dependencies - sudo apt-get install golang-go + sudo snap install go --classic # Needed to compile 'minicurl' sudo apt-get install libcurl4-openssl-dev # More dependencies for the tests From 6d04ffee275e040a3cb7da33e09aa1d3bcc85bfd Mon Sep 17 00:00:00 2001 From: lwthiker Date: Thu, 29 Feb 2024 22:38:23 +0200 Subject: [PATCH 4/4] Use an even newer version of BoringSSL Use the latest 'chromium-stable' tag, which has fixes for compiling with gcc 13. --- .github/workflows/build-and-test-make.yml | 2 +- Dockerfile.template | 2 +- Makefile.in | 2 +- chrome/Dockerfile | 2 +- chrome/Dockerfile.alpine | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build-and-test-make.yml b/.github/workflows/build-and-test-make.yml index 0ada439d..e556d6e7 100644 --- a/.github/workflows/build-and-test-make.yml +++ b/.github/workflows/build-and-test-make.yml @@ -12,7 +12,7 @@ on: env: NSS_VERSION: nss-3.77 - BORING_SSL_COMMIT: d24a38200fef19150eef00cad35b138936c08767 + BORING_SSL_COMMIT: 1b7fdbd9101dedc3e0aa3fcf4ff74eacddb34ecc jobs: build-and-test: diff --git a/Dockerfile.template b/Dockerfile.template index 73ff2e71..5a510227 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -97,7 +97,7 @@ RUN tar xf ${NSS_VERSION}.tar.gz && \ {{#chrome}} # BoringSSL doesn't have versions. Choose a commit that is used in a stable # Chromium version. -ARG BORING_SSL_COMMIT=d24a38200fef19150eef00cad35b138936c08767 +ARG BORING_SSL_COMMIT=1b7fdbd9101dedc3e0aa3fcf4ff74eacddb34ecc RUN curl -L https://github.com/google/boringssl/archive/${BORING_SSL_COMMIT}.zip -o boringssl.zip && \ unzip boringssl && \ mv boringssl-${BORING_SSL_COMMIT} boringssl diff --git a/Makefile.in b/Makefile.in index 7708643f..df720aab 100644 --- a/Makefile.in +++ b/Makefile.in @@ -13,7 +13,7 @@ BROTLI_VERSION := 1.0.9 NSS_VERSION := nss-3.92 NSS_URL := https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_92_RTM/src/nss-3.92-with-nspr-4.35.tar.gz # In case this is changed, update build-and-test-make.yml as well -BORING_SSL_COMMIT := d24a38200fef19150eef00cad35b138936c08767 +BORING_SSL_COMMIT := 1b7fdbd9101dedc3e0aa3fcf4ff74eacddb34ecc NGHTTP2_VERSION := nghttp2-1.56.0 NGHTTP2_URL := https://github.com/nghttp2/nghttp2/releases/download/v1.56.0/nghttp2-1.56.0.tar.bz2 CURL_VERSION := curl-8.1.1 diff --git a/chrome/Dockerfile b/chrome/Dockerfile index d22153e6..1c710f9e 100644 --- a/chrome/Dockerfile +++ b/chrome/Dockerfile @@ -39,7 +39,7 @@ RUN cd brotli-${BROTLI_VERSION} && \ # BoringSSL doesn't have versions. Choose a commit that is used in a stable # Chromium version. -ARG BORING_SSL_COMMIT=d24a38200fef19150eef00cad35b138936c08767 +ARG BORING_SSL_COMMIT=1b7fdbd9101dedc3e0aa3fcf4ff74eacddb34ecc RUN curl -L https://github.com/google/boringssl/archive/${BORING_SSL_COMMIT}.zip -o boringssl.zip && \ unzip boringssl && \ mv boringssl-${BORING_SSL_COMMIT} boringssl diff --git a/chrome/Dockerfile.alpine b/chrome/Dockerfile.alpine index e8bf8ac3..5336b087 100644 --- a/chrome/Dockerfile.alpine +++ b/chrome/Dockerfile.alpine @@ -32,7 +32,7 @@ RUN cd brotli-${BROTLI_VERSION} && \ # BoringSSL doesn't have versions. Choose a commit that is used in a stable # Chromium version. -ARG BORING_SSL_COMMIT=d24a38200fef19150eef00cad35b138936c08767 +ARG BORING_SSL_COMMIT=1b7fdbd9101dedc3e0aa3fcf4ff74eacddb34ecc RUN curl -L https://github.com/google/boringssl/archive/${BORING_SSL_COMMIT}.zip -o boringssl.zip && \ unzip boringssl && \ mv boringssl-${BORING_SSL_COMMIT} boringssl